nzbdwin_beta folder: Malware ... coin miner

Get help with all aspects of SABnzbd
Forum rules
Help us help you:
  • Are you using the latest stable version of SABnzbd? Downloads page.
  • Tell us what system you run SABnzbd on.
  • Adhere to the forum rules.
  • Do you experience problems during downloading?
    Check your connection in Status and Interface settings window.
    Use Test Server in Config > Servers.
    We will probably ask you to do a test using only basic settings.
  • Do you experience problems during repair or unpacking?
    Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
Post Reply
crispen8
Newbie
Newbie
Posts: 2
Joined: March 27th, 2017, 7:32 pm

nzbdwin_beta folder: Malware ... coin miner

Post by crispen8 »

Hi,

Yesterday I got a warning from Bitdefender referencing a program in the nzbdwin_beta folder which appeared in the SABnzbd complete folder.
Is this legit? Or a virus/trojan etc?
The folder gets recreated after I delete it.
I've googled it with no result, and Malwarebytes scan didn't detect any malware/spyware.

Sincerely,
Lowell

User avatar
safihre
Administrator
Administrator
Posts: 4244
Joined: April 30th, 2015, 7:35 am
Contact:

Re: nzbdwin_beta folder

Post by safihre »

nzbdwin_beta is not something SABnzbd creates.
Or is this maybe the name of one of your folders in Config > Folders?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate

crispen8
Newbie
Newbie
Posts: 2
Joined: March 27th, 2017, 7:32 pm

Re: nzbdwin_beta folder

Post by crispen8 »

Was listed in the Config > Folders > Scripts field .
What is the default for this field?
I didn't change this.

User avatar
safihre
Administrator
Administrator
Posts: 4244
Joined: April 30th, 2015, 7:35 am
Contact:

Re: nzbdwin_beta folder

Post by safihre »

No, it's not default. You can remove it.
Are you really really sure you didn't set that yourself?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate

imaxst
Newbie
Newbie
Posts: 3
Joined: April 13th, 2021, 7:28 am

Re: nzbdwin_beta folder

Post by imaxst »

I noticed this folder the other day after my CPU usage hit 100%. It was running XMRIG miner. I'm not sure where it came from and I did not run any exe files I think it must have exploited a post processing script.

imaxst
Newbie
Newbie
Posts: 3
Joined: April 13th, 2021, 7:28 am

Re: nzbdwin_beta folder

Post by imaxst »

From Reddit

So its a Crypto miner, it uses two cron.bat files to have SABNzbd open itself.

@echo off
cd /d %1
start "" "search_indexer.exe" & exit


@echo off
goto start:
########################################
### NZBGET POST-PROCESSING SCRIPT ###
:start
cd /d %NZBPP_DIRECTORY%
start search_indexer.exe
exit /b 93

User avatar
safihre
Administrator
Administrator
Posts: 4244
Joined: April 30th, 2015, 7:35 am
Contact:

Re: nzbdwin_beta folder

Post by safihre »

Is your Sabnzbd exposed to the internet without username and password?
If you like our support, check our special newsserver deal or donate at: https://sabnzbd.org/donate

imaxst
Newbie
Newbie
Posts: 3
Joined: April 13th, 2021, 7:28 am

Re: nzbdwin_beta folder: Malware ... coin miner

Post by imaxst »

Not any longer

User avatar
sander
Release Testers
Release Testers
Posts: 7437
Joined: January 22nd, 2008, 2:22 pm

Re: nzbdwin_beta folder: Malware ... coin miner

Post by sander »

imaxst wrote:
April 14th, 2021, 10:39 am
Not any longer
Clever! ;)

User avatar
sander
Release Testers
Release Testers
Posts: 7437
Joined: January 22nd, 2008, 2:22 pm

Re: nzbdwin_beta folder: Malware ... coin miner

Post by sander »

Oh, everybody: to avoid this in the future:

1) don't have your SAB-webgui unprotected open to Internet: at least put a password on it. Plus: put it on a less well known port, like 49231
2) in SABnzbd, at Unwanted Extensions, fill out EXE, COM, BAT

starmanj
Newbie
Newbie
Posts: 3
Joined: April 14th, 2021, 1:55 pm

Re: nzbdwin_beta folder: Malware ... coin miner

Post by starmanj »

I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...

User avatar
sander
Release Testers
Release Testers
Posts: 7437
Joined: January 22nd, 2008, 2:22 pm

Re: nzbdwin_beta folder: Malware ... coin miner

Post by sander »

starmanj wrote:
April 14th, 2021, 3:39 pm
I'm getting this malware now.
Now that I'm infected, how do I stop the cron process that is repeatedly running? I added username and password so it stopped downloading the stuff...
cron process? That sounds Linux, but the malware is Windows (AFAIK) ... so can you explain?

Post Reply